selinux eradicator?
Jim Cornette
fc-cornette at insight.rr.com
Fri Jun 29 02:27:06 UTC 2007
Mike McCarty wrote:
> Partially, my point is that any time one modifies any package, no
> matter for what reason, there is the opportunity to introduce
> defects. Therefore, all applications which are affected by SELinux,
> potentially all of them, now have an opportunity for defects to be
> introduced; a circumstance which would not occur if not for SELinux.
An earlier problem with at-spi took down a large range of programs
because of a chain of programs linked to it. This has little to do with
SELinux except to say that vulnerabilities which could have a domino
effect could be halted from action if policy prevented abnormal
operation from vulnerable programs.
>
> Also, SELinux is itself a large chunk of code, with its own defects.
No doubt that it can become better as problems are spotted and addressed.
>
> My bottom line: There is not overwhelming evidence that SELinux
> provides a net worthwhile increase in security of non secure systems.
> As long as this situation continues, then there is room for people
> like Karl not to want it on his machine.
>
> I'm not lobbying for anyone to remove it. I'm not trying to convince
> anyone that it's a bad thing. I'm lobbying for people to have a CHOICE
> whether to install it, without also having to exercise the choice to
> use a different distro. I think that's only reasonable.
Why anyone would switch distros because of SELinux integration compared
to the multimedia digital rights issues preventing out-of-the-box
multimedia support.
If they want it completely off of their systems maybe a new distro fork
can be born from their desire to eradicate SELinux completely from their
systems.
Jim
>
> Mike